Algebraic Laws for Nondeterminism and Concurrency
MATTHEW HENNESSY AND ROBIN MILNER
University of Edinburgh, Edinburgh, Scotland
Abstract. Since a nondeterministic and concurrent program may, in general, communicate repeatedly with its environment, its meaning cannot be presented naturally as an input/output function (as is often done in the denotational approach to semantics). In this paper, an alternative is put forth. First, a definition is given of what it is for two programs or program parts to be equivalent for all observers; then two program parts are said to be observation congruent iff they are, in all program contexts, equivalent. The behavior of a program part, that is, its meaning, is defined to be its observation congruence class. The paper demonstrates, for a sequence of simple languages expressing finite (terminating) behaviors, that in each case observation congruence can be axiomatized algebraically. Moreover, with the addition of recursion and another simple extension, the algebraic language described here becomes a calculus for writing and specifying concurrent programs and for proving their properties. Categories and Subject Descriptors: F.3.2 [Logics and Meanings of Programs]:Semantics of Program- ming Languages-algebraic approaches to semantics General Terms: Theory Additional Key Words and Phrases: Communicating processes,observational equivalence
1. Introduction The denotational approach to the semantics of programming languageshas been well developed in recent years [ 1, 111and applied successfullyto many nontrivial languages.Even languageswith parallel constructs have been treated in this way, using the power-domain constructions of [3], [7], and [lo]. Indeed for such languagesthere is no shortage of possible denotational models. For example, there are severalsimple variations on the model for processes,introduced in [4]. In the face of such an abundance, it is best to recall the motivation for seeking such models. They provide a useful mathematical framework for the analysis of programs, and for developing logical systemsfor proving their properties. However, if either the mathematics or the logic is to have any relevance,a link must be made between the denotational model and the behavior, or operational semantics,of the programs. One way of making the link is to demand that the denotational model befully abstract with respectto the operational semantics.This means simply that two program phrases should have the same denotation if, and only if, the opera-
A preliminary version of this paper, entitled “On Observing Nondeterminism and Concurrency,” appeared in the Proceedings of the 7th Colloquium on Automata, Languages and Programming. Lecture Notes in Computer Science, vol. 85. Springer-Verlag, New York, Berlin, Heidelberg, 1980, pp. 299- 309. Those. portions that appeared in the preliminary are reprinted with permission of Springer-Verlag. Authors’ address: Department of Computer Science, James Clerk Maxwell Building, The Kings Buildings, University of Edinburgh, Mayfield Road, Edinburgh EH9 352, Scotland. Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission. 0 1985 ACM 0004-541 l/85/0100-0137 $00.75
Journal of the Association for Computing Machinery. Vol. 32, No. I, January 1985, pp. 137-161 138 M. HENNESSYAND R. MILNER tional meaning of every program remains unchanged when one phrase is replaced by the other. What exactly is meant by the behavior of nondeterministic or concurrent programs is far from clear and in this paper we put forth one possible definition. The essenceof our approach is that the behavior of a program is determined by how it communicates with an observer.We begin by assumingthat every program action is observable in this way; later we allow that some actions (in particular, internal communications between concurrent components) are not observable. We apply our d.efinition to a sequence of simple languages for expressing programs with finite behavior, and show that in each case it can be characterized by algebraic axioms. This leads automatically to a fully abstract model; it is just the initial algebra generated by the axioms. Moreover, a proper understanding of the finite case seerns a necessary prelude to a study of programs with infinite behavior. Such programs may be gained simply by adding recursion to our languages. In fact, with the alddition of recursion and with a natural extension to allow data valuesto be communicated between concurrently active agents,the simple algebra described here becomesa languagefor writing and specifying concurrent programs and for proving their properties. This languagewas introduced in [5]; it was partly the need for a firm basis for the algebraic laws discussed there that led to the present study of observation equivalence. In Section 2 we present our general framework. In Sections 3-6 we outline and summarize our results for the languagesconsidered. Proofs of the main results are contained in Appendixes A-C. The present paper is a full presentation, complete with proofs, of results first announced without proof in [2].
2. Observational Equivalence of Processes 2.1. EQUIVALENCE. In this section we introduce a way of defining equivalence between programs t.hat is based entirely on operational considerations; informally, two programs are equivalent when no observations can distinguish them. Further, two subprograms or program phrasesare congruent if the result of placing each of them in any progralm context yields two equivalent programs. Then, considering the phrasesas modules, one can be exchangedfor the other in any program without affecting the observedbehavior of the latter. However, much is left vague by this prescription. First, what are obse;ations? Second, how can they be used to distinguish programs? In this section we answer these two questions, thereby obtaining a precise notion of equivalence, and hence also of congruence. Note that the answer to the first question does not determine the answer to the second; observations may be used in many different ways to distinguish more or fewer programs. We cannot argue that our answer is best, only that it is natural; to this end, we give an alternative characterization of the resulting equivalence relation in Section 2.2. In the caseof deterministic sequential programs, the behavior of a program p is usually taken to be its input-output function IO(p). Here, an observation of p is taken to be a pair of states(or values):an input state and the resulting output state (if any). Then proyFamsp and q are equivalent, written p - q, if they yield the same observation sets; that is, if IO(p) = IO(q). The corresponding congruence relation -c is then defined as follows: p -c q if for every suitable program context 55[ 1, JZb] - .Y[q]. If the language is defined algebraically, that is, by operations Algebraic Laws for Nondeterminism and Concurrency 139 for constructing new programs from ones already defined, the wCturns out to be the largest congruence relation included in -. However, any satisfactory comparison of the behavior of concurrent programs must take into account their intermediate states as they progress through a computation, because differing intermediate states can be exploited in different program contexts to produce different overall behavior (e.g., deadlock). With this in mind, we now proceed to a more refined notion of behavioral equivalence, which we call observational equivalence. This notion may be defined for objects more general than programs, which (for the remainder of the present section) we shall call processes. Let P, then, be a set of objects that we may think of as processes.We take the view that any observation of p E P entails some participation by p itself; p is an active participant, as well as the observer. Thus, the act of observing a process changesits state. So if we adopt the familiar technique of identifying the state of a processwith the processitself, we can say that observation changesthe processinto a new process.This changemay not be deterministic; hence the effect of a particular type of observation-applied to an arbitrary process-may be captured by a binary relation over P. In general, we presupposea set Z of possible types of observation, so we then have a set (Ri C P x P, i E I) of observation relations. Using these relations, we define a sequence of equivalence relations -” over P (n 2 0), in such a way that N~+IC -,,, as follows: p m. q ifp, q E P (i.e., m. = P x P); p -n+l q if for every i E Z, (i) (p, p’) E Ri implies, for some q’, (q, q’) E R; and p’ -,, q’; (ii) (q, q’ ) E Ri implies, for some p’, (p, p’) E Ri and p’ -R q’. Then p and q are observationally equivalent, written p - q, if p -,, q for every n. Thus, we have defined - to be fl, -,,. In fact, we have taken - to be the limit n, E”( P x P), where E(S) is defined for any S G P x P as follows: (p, q) E E(S) if for every i E Z (i) (p, p’) E Ri implies, for some q’, (q, q’) E Ri and (p’, q’) E S; (ii) (q, q’ ) E Ri implies, for some p’, (p, p’) E Ri and (p’, q’) E S. Now if E has the property that E(fl, Sn) = fl, (E(S,)) for every decreasing sequenceS, of relations, that is if E is anticontinuous, then it follows from classical fixed-point theory that - is the maximum fixed-point of the map E of relations. Let us say that R C P x P is image-finite if, for each p E P, (p’ 1(p, p’) E RJ is finite. It turns out that the image-finitenessof each Ri, i E Z, is sufficient to ensure that E is anticontinuous, so the following theorem holds (seeAppendix A for the proof): THEOREM 2.1. Zf Ri is image-finite for each i E Z, then - is the maximum solution to S = E(S). Hitherto we have called i E Z a type of observation, and then an instance (p, p’) E Ri is a particular observation (of p). It can also be regarded as a communication betweenp and an observer;in some of the program languagesthat we introduce later we exploit this symmetry by representing communication between two processesp and q, running concurrently, as mutual observation between the processes. 140 M. HENNESSY AND R. MILNER For the present, we can also regard a single observation (p,, p’) E Ri as an atomic experimerit by the observer on p. A more complicated experiment may consist of a finite isequenceof atomic experiments. Let s be the sequencei, , . . , , i, in I (n L 0); then an s-experiment on p is a sequencepo, . . . , I),, where p. = p and (p&l, pk ) E R,. Thus, if p - q and some s-experiment leads from p to p’, then (assuming image-finiteness) by Theorem 2.1 there exists an s-experiment on q leading to some q’ such that q - q’. If we consider a computation as a sequenceof experiments (or communications), then the above remarks show that intermediate states are compared. In fact, if p is to be equivalent to q, there must be a strong relationship between their respectiveintermediate states.At each intermediate stage in the computations, the respective “potentials” must also be the same. The alternative characterization of observational equivalence given in Section 2.2 will help to shed further light on such intuitive discussions. However the principal reason for introducing this alternative characterization in the present paper is to justify our interest in the notion of observational equivalence despite its rather complicated delin:ition. Moreover, we will find it easierto compare it with simpler forms of equivalence that one might be tempted to define. One such equivalence is P -e q if for every s E P, p has an s-experiment if and only if q has an s-experiment. This identifies a processwith the set of s-experiments that can be performed on it and reflects the view of classical automata theory that identifies a machine with the language it accepts. The alternative characterization will make apparent the difference between observational equivalence and -e and will underline the deli- ciencies of the latter. 2.2. LOGICAL CHARACTERIZATION. The alternative characterization depends on the identification of a process with the properties it enjoys. Then we can say that two processesare equivalent if and only if they enjoy exactly the same properties. This is perhaps more illuminating in its negative form: two processes are inequivalent if one enjoys a property that the other does not enjoy. There are a number of parameters in this definition. First, it presupposesa set ti of properties. Second, we need a notion of a processp E P enjoying a property A E & This can be modeled as a binary relation l= C P x &I We write l= in an infix manner and ,DI= A may be read “p enjoys the property ‘A.” Let d(p) be the set of properties enjoyed by p, that is, d(P) = M P I= 4. An equivalence between processescan be defined as follows: P -sl 4 if M(P) = -Wq) for p, q E P, We now introduce a particular set of properties and a particular satisfaction relation for which it will follow that
P-4 if and only if P -d 4. The properties in question are rather general, but they depend on the set of observation relations (Ri G P x P, i E I) given in the previous section. They are best expressedas formulas in a simple modal language3 Yis defined by extending propositional logic with a set of modal operators, 0, one for each observation Algebraic Laws for Nondeterminism and Concurrency 141 relation R;. The connectives of propositional logic have their usual meaning and a process p will enjoy the property @A, that is, p = @A, if there is an i-experiment (p, p’ ) such that p’ enjoys the property A. The language looks deceptively simple, but it derives its power from the ability to define the dual modal operators E/ from @ using negation. We now give the relevant definitions. Let the language Y of formulas be the least set such that
(ii) A,BEY+AABE~1AE~ (iii) AE=YandiEZ+@AEZ The satisfaction relation l= C P x 2’ is the least relation such that (i) p l= T for all p E P, (ii) pl=A A BiffpKAandpl= B, (iii) p I= 1A iff not p I= A, (iv) pl= @Aifff or some i-experiment (p, p’), p’ I= A. In examples and later discussion we adopt the following convenient notations: F stands for ‘T, A V B stands for l(lA A lB), A stands for @ . . . @A, where s = i, . . . i,, n I 1, 84s stands for l@lA. We say p is s-deadlocked if there are no s-experiments on p. From the definition of the satisfaction relation we can now interpret many simple sentencesas assertions about the possibility of deadlock.
Examples (a) p l= @T: It is possible to carry out an s-experiment on p. (b) p l= ElF: p is s-deadlocked. (c) p E @(OF V OF): It is possible, via an s,-experiment, to get into a state that is either sz-deadlocked or s3-deadlocked. (d) p t= lQ(@F): At the end of any sl-experiment, an s2-experiment that will leave the program in a state that is s3-deadlocked is possible. Note that it is the interleaving to arbitrary depth of the two model operators 0, Cl that gives the language its power. Although we do not here develop 5? into a logic for reasoning about programs, it is worth noting that as a language it is endogenous by Pnueli’s classification [8]. This means that a formula states something about the ‘world’ of a single program, in contrast to exogenous logics such as Dynamic Logic [9] where parts of programs may be constituents of formulas. Let Y(p) = (A E z p l= A]. Thus, Y(p) is the set of properties enjoyed by the process p. THEOREM2.2. If each Ri is imagefinite then P-4 if and only if P(P) = -xd. This characterization theorem (proved in Appendix A), together with our ex- amples, which indicate that in 28 it is possible to discuss deadlocking properties of processes, encourages us to believe that our notion of observation equivalence is natural. 142 M. HENNESSYAND R. MILNER Moreover, we shall see that each connective of 9 is important; by removing first negation, then conjunction, from LY we obtain characterizations of progres- sively weaker equivalences.It is of some interest to examine these weaker equiva- lences, and the rest of the present section is devoted to this task. However, the reader may note th;atthe work in later sectionsis only concerned with observational equivalence for various setsRi. For any set of formulas Y C 9 let p-yq ifforevery AEE pi=A ifandonlyif qi=A. If .9 is the empty set then -9 identifies all processes.The larger we make E the more discriminating the equivalence relation -9 becomes.Theorem 2.2 statesthat - coincides with -9. The two setsof formulas just mentioned are L# = {A E g A does not contain 1) /y = (A E A, A does not contain A ). It is not difficult to establish that THEOREM 2.3 P -e 4 if and only if P-MY* This result emphasizesthe weaknessof-e; within JV we cannot define q or F, which are essential to express properties concerning deadlock. In Section 3.2 we will use the experiment relations defined in Section 3.1 to show that, in general, -e is weaker than -. We will also give an example to show that it is weaker than -Av which in turn is weaker than -. Anticipating these examples, it is reasonable to ask if there is a natural characterization of -4 in terms of the experiment relations Ri, similar to the characterizations in Theorems 2.2 and 2.3 for -9 and -A, respectively. !3uch a characterization can be obtained by considering the asymmetric version of the relation E, used in Section 2.1 to define -. For any S C P x P let AE(S) be defined by (p, q) E AE(S) if for every i E Z, (p, p’) E Ri implies, for some q’, (4, 4’) E Ri and (p’q’) E S. Let (i) IZ, be P x P, (ii) Cn+, be A&,). and let PL4 if for every n 2 0, p iIn q.
If each Ri is image finite, then we can modify Theorem 2.1 to show that C is the maximal solution to S = AE( S). In general the relation & is reflexive and tr&sitive but not necessarilysymmetric. We let = denote the natural equivalence relation it generates,5 fl 7. Surprisingly it turns out that in general z is much weaker than -. An example&l be given in Section 3.2. However, we do have THEOREM 2.4. Zf each Ri is imagefinite, then P=q if and only if P -A 9. Algebraic Laws for Nondeterminism and Concurrency 143 In Section 3.2 we will also present examples that show that -,,, n 2 0 and IIn, n 2 0 are true hierarchies; that is, we will give processespn, q,,, n 2 0 such that Pn -n qn, pn Cn qn, and P” *,,+I qn, P,, I$ n+, qn for every n = 0. These remarks show that various notions of equivalence of processescan be defined starting from either experiment relations or sets of properties that one expects processesto enjoy. In the present setting observational equivalence, -, seemsthe most natural and in the remainder of the paper we study its application to finite programs. We consider two different types of atomic experiment, and in each case we show that the congruence generated by the equivalence can be algebraically characterized.
3. Application to a Simple Nondeterministic Language In the previous section we showed how to defme observational equivalence over an arbitrary set P of processesor agents in terms of an indexed family (Ri ] i E I) of binary relations over P with the finite-image property. In this section, we introduce a simple languagefor defining processes.Intuitively, every program in the language defines a nondeterministic finite machine, and, associated with every possible action i that a machine can make, we have an experiment relation Ri. This relation corresponds to the performance of an action i by the machine. In fact, we have two different sets of experiment relations, depending on whether or not the machines can perform actions that are not observable. This leads to two different observational equivalences -, = over programs. The language we use for defining machines is simply the word algebra W, over a signature Z. This approach has certain advantages.It introduces structure on the machines in that each operator in the signature can be viewed as a constructor: a method for defining a new machine in terms of existing machines,which are called its constituents. Moreover, the behavior of the new machine is uniquely determined by the behavior of its constituents. This will be reflected in our definition of the experiment relations Ri; the result of applying an experiment to a machine depends entirely on what happens when we apply experiments to its constituents. Another advantageof this structural view of machines is that we can augment the signature, thereby increasing the descriptive power of the language. The definition of the experiment relations on the extended language can be given simply by adding clausesto cover the new constructors. Indeed, this is the approach in the present paper and by Section 5 we have all of the operators of the languageCCS [6] in our signature apart from recursion. In general, - (or =) may not be a congruence with respect to the operations of W,; this is to say that a pair of words p, p’ may satisfyp - p’ but there may be a context JZ[ ] (i.e., a word with a hole in it, or equivalently a derived unary operation over W,) for which U[p] - Z?[p’]. (- is a congruence if and only if p - p’ implies Z[p] - %[p’] for every %[ I.) Thus, observational equivalenceof two words does not guarantee that one may be exchanged for the other without observabledifference. We therefore define observational congruence uc over IV, as follows: P -c P’ if for all contexts Z[ 1, Y[p] - %[p’]. It is easyto check that this is a congruence, and is moreover the largest congruence contained in -. 144 M. HENNESSYAND R. MILNER The definition of -C is in general complicated and a direct proof that p -C p’ for a particular pair of words p, p’ is quite difficult. Our aim is to provide an alternative proof method for dleriving such statements.We isolate properties of-c (and zC) as axioms. One can tlhen derive statements such as p -C p’ by using these axioms to transform p into ,p” or vice versa. In fact, for each of the languagesconsidered we show that -C (and zC) can be characterized completely by an appropriate set of axioms; that is, p -rCp’ if and only if we can derive p = p’ from the axioms using substitution. In general, this is false if we add recursion to the languages.However, the axioms together with some form of induction are a powerful proof method for deriving observational congruence. In the remainder of this section we present a signature t: I and define experiment relations Ri over u/,, in two distinct ways. For each way, we give a set of equational axioms that induce exactly the observational congruence determined by the rela- tions. 3.1. THE SIGNATURE Z, = M U (NIL, +). Let M be an arbitrary set, repre- senting the atomic actions that may be performed by a program. We shall let p, v range over M. The words IV,, may be regarded as perhaps the simplest language for finite nondeterministic programs built from M, together with the null program NIL, a nullary operator representing termination, and the binary operator + representingchoice. The membersof M, which are unary operators, may be thought of as prefixing an atomic action to a program. As an example, the program
P = PI(PZ(NIU + M(cc~(NILN) may first perform cclonly; thereafter, it may perform p2 and terminate, or perform pl then ~2 and terminate. We now suppose that an atomic experiment consists in observing an atomic action; then the relations (R, 1P E M} are defined as the smallest relations over IV,, satisfying the following conditions (we write 14,for R,):
(-+ 1) AP) 3,. (+ 2) If p -% p’, th.enp + q 14,p’. (+ 3) If q 14,q’, then p + q 3 q’. Thus, the s-experiments (S E M*) possible for the program p above are the paths of the following tree:
PI \ ~Q(NIL) clz\ NIL We now proceed to examine the observational equivalence - derived from the experiment relations R, determined above and its associatedcongruence -C. First, we note that in thinsparticularly simple case - itself is indeed a congruence, and therefore identical with -C. PROPOSITION (1) - is a congruencerelation over W,, . (2) - is identical with -C over W=,. Algebraic Laws for Nondeterminism and Concurrency 145 PROOF (1) It is only necessary to show that pl - p2 implies p(pl) - 4~2) and that PI - P2, 41 - 42 imply PI + 41 - p2 + 42. The details are straightforward in terms of the definition of - in Section 2. (2) -C is the largest congruence included in -, which is clearly - itself. q Second, we look for simple “equational” properties of the congruence. It turns out that ( IV..,/-,, +, NIL) is an Abelian monoid, with absorption. PROPOSITION. The following hold for all pI, ~2, p3 E W2,:
(1) PI + (Pz + P3) -c (PI + P2) + P3, (2) PI +p2 -cP2 +PI, (3) PI + PI -c PI, (4) PI + NIL -c PI. PROOF. In each case, denoting the left and ri t sides by ql, q2 we can show from the definition of 3 that q1 3 q iff q2 +P q; the result then follows di- rectly. Cl Note that the distributive law p(pI f p2) uC I + p(p2) fails. For consider the two programs
PI = PI(PZ(NIL) + I.Ls(NIL)), P2 = /.Q~zWIL)) + M(cL~(NIL)). We have pI -% r2(NIL) + pJ(NIL), whereas p2 * pz(NIL) and p2 % r3(NIL); neither of the two successors of pz under & is equivalent to the suc- cessor of pI . The first property proved in the proposition justifies the use of the following convenient notation; we write if n > 0, in place of ClIPINIL + *** + CLnPn ,jssnMA { if n = 0, knowing that the notation is unambiguous up to -C. (From now on, pp stands for p(p).) Moreover, the first and fourth properties allows us to assume that any program p can be expressed (up to -,) in the form Cr+i=n pipi, where each pi is again of the same form. We shall call such an expression a normal form for p. This normalization is a necessary tool in proving the main result of the present section, namely that the four “equations” of the last proposition are complete, in the sense that any other valid equation between programs may be derived from them. For we have the following completeness result: THEOREM 3.1. The observational congruence -= over W,, is exactly the congru- ence induced by the four axioms (Al) x + (y + z) = (x + y) + z, (A2) x + y = y + x, (A3) x + x = x, (A4) x + NIL = x. PROOF. Let =l be the congruence over W,, induced by (Al)-(A4). By the previous proposition, -= satisfies these four axioms, whence p “I q implies p uc q. We first prove the converse for normal forms p and q, by induction on their structure, noting that p % p’ implies that p’ is a subterm of p. We therefore as- sume that p and q take the forms Cm uipi and C,, vja. 146 M. HENNESSYAND R. MILNER
Assume that p uc q. Since p -% pi, then, for some q’, q % q’ and pi -C q’. But q’ must be qj for somej, with vj = pi, and by induction pi =I a. So such a j must exist for each i, and by symmetry for eachj there exists i such that pi = I a also. It then follows from axioms (Al)-(A3) that p s1 q. Finally, in the c:asethat p and q are arbitrary programs, it is enough to note that the four axioms allow any program to be proved congruent (~1) to its normal form. cl In view of our axioms, then, it is intuitively clear that IV,,/-, is isomorphic with the set of rooted, unordered finite trees whose arcs are labeled by members of M, with the extra requirement that no two identically labeled arcs from a node lead to identical subtrees. As an example, the two programs pl, ql are represented by the distinct trees
Indeed, we may use our language Yof Section 2 to show that thesetwo programs are not congruent (or even equivalent), for in terms of 9’we have
Pl I= A, 41 t# A, where A, is @( @T A @T). Theorem 3.1 and the propositions leading up to it set the pattern for the remaining five algebraic characterizations of congruences treated in the paper, though the details usually are more difficult. 3.2. EXAMPLES. This section is devoted entirely to examplesthat substantiate the remarks at the end of Section 2.2. We use I+‘,, as processes,whose elements are described by trees, and the experiment relations as given by the rules (+ l), G+ 2), (- 3). Example 1. Let pI , q1 denote the programs
We have seen in Section 3.1 that
PI I= AI, 41 F Al, where A, is the formula @ (@T A @T). Now A, E JZ, so p1 +A ql. On the other hand one can show, by induction on A, that if A E /I: then pI l= A if and only if q1 l= A. It follows that pi -,v q1 so that -4 is strictly stronger than -/. Cl Example 2. Let ~2, q2 denote the programs . PI and A42 Algebraic Laws for Nondeterminism and Concurrency 147 If A E J%,then p2 l= A if and only if q2 l= A. This depends on the fact that if A E /y and NIL l= A then p l= A for every program p. Thus, p2 -X 42. On the other hand if A2 denotes 1 @T, then p2 l= A2 and q2 F A2. From Theorem 2.2 it follows that p2 * 42.9 o - is strictly stronger than -x. Cl Example 3. We now show that the sequences-n and Cn, n 1 0, of relations are strictly decreasing.For let the pairs pn, qn be defined as follows, for each n 2 0: PI PI cc2 Pn :-...... , \ J n times r L \ ccl P3 :-. PI ...... qn Then it is simple to prove that pn -,, qn and p,, Cn qn, but p,, -n+l qn and p,, I$ n+, qn, for each n L 0. Cl Turning to the formulas of z we remark that for each n L 0, the relation -,, is characterized by the sublanguageYn of 58 consisting of formulas with nesting at most n of the modal operators 0; that is, p -,, q iff Yn(p) = 5$(q). This is in fact shown, by induction on ~1,in our proof of Theorem 2.2 given in Appendix A. However, Example 3 leaves something to be desired. For it shows that the weakness of each -n or Yn follows, in part, from its inability to “examine” a program’s behavior beyond its first n actions. This weakness can be remedied as follows. We may consider, in place of the experiment relations 3, the derived relations 2 for each s E M*, where
*-* Pk p-k!+ . . . As+, P c1’ ‘4 iff We may then define a map E* of relations over P as follows: (p, q) E E*(S) if, for all s E M*, (i) p L p’ implies, for some q’, q z q’ and (p’, q’) E S, (ii) q 5 q’ implies, for some p’, p & p’ and ‘(p’, q’) E S. Then we take -z = E*n( P x P), and -* = n,, -z. Now each -f , even -7, can “examine” the behavior of programs arbitrarily far into the future. In fact, -: is already quite strong; we can state that
In other words, p -: q iff p and q have exactly the same action sequences.On the other hand, in the limit we can show that
In other words, we have yet another characterization of the observation equivalence. But is it necessaryto proceed to the limit, setting -* = fl, -,*, or do we have -* = -,* already for some finite n? If the latter were so, then our “recursive definition” of - would have been misleading. But we can indeed show that the sequenceof relations -,*, n 2 0, is also strictly decreasing.For this we need a more complex sequenceof program pairs than Example 3. 148 M. HENNESSYAND R. MILNER Example 4. Let the pairs pn, q,, of programs be defmed as follows, for each n z 0:
40: P3 I
Note that pI , q1 alre the programs of Example 1 above. Note also that p,, -e qn for all n L 1, since pn and qn have the same action sequences. But, as in Example 3, we are able to show (we omit the proof) that p,, -,* qn but p,, *;+I q,, for each n. The reader may care to verify this at n = 2:
Now, finally, it should be clear that if we take Y* to be the formulas defined as for Y but with modal operators 0s , s E M*, then Theorem 2.2 yields P -* q iff g*(P) = ~*(d. This is no surprise., since -* and - are identical and since Y* is already a derived language of Z by setting
But we also have a.characterization of each -,*: P -IF 4 ifl -%Xp) = Z?(q) where Y,* is the sublanguage of 9’ in which the modal operators @ may be nested to depth at most n. Thus, arbitrary depth of nesting is required in P’*, even for its more powerful modal operators, in order to characterize -* fully. Clearly a simple nesting of the form @ @ is no more powerful than the single operator 0ss ; it is the interleaving of propositional and modal operators that adds power. Indeed, we saw in Section 2.2 how the alternation of Owith its dual 0 allowed the expression of complex properties concerned with deadlock. 3.3. UNOBSERVABLE ATOMIC ACTIONS IN 2,. In the system of Section 3.1, every atomic action is observable; a program cannot proceed without being observed. Let us now suppose that among A4 there are atomic actions that cannot be observed; such PI = PI(CLZWW + dNW), ~2 = P~(cczWW. Using the remarks at the end of Section 3.1, these may be representedby the trees: When an atomic pi-experiment is performed on pI , one possible result is that it changespI into NIL. This follows becausethe execution of the action ccl by the program pI may be followed by the execution of the unobservable 7 action. Intuitively, this is an acceptable pi-experiment since of this sequenceof actions performed by the program the observer only seescam. However, the only possible result of performing a pi-experiment on p2 is the program pz(NIL). It follows that pl is not observationally equivalent to ~2. This inequivalence may also be seen using the language Y since PI I= A, ~2fA, where A is @(l @T). Cl For simplicity we assume that T is the only unobservable atomic action. (This may be formally justified; if there were two such, 7, and TV,we would arrive at an axiom TV = 72(x)-indicating that the replacement of 71 by 72 can affect no observation.) We therefore assumeM = A U (~1(T 4 A), and we define a new set (Rx ] X E A) of experiment relations as follows. First, define 2 over IV,,, for any s = PI . . . p,, E M*(n 2 0), by P&P’ iff p = po 3 pj 143a** *pnlJn =p’. Then, writing Rx as a, we define for each X E A PAP p 1 p’ iff P - P’ for some m, n 2 0. Thus our new atomic observation A may absorb any finite sequenceof unobserv- able actions before or after the action A. It is easy to check that each 9 is image- finite. We obtain now a new observational equivalence relation = over IV,,, using the definition of Section 2, with the relations .,a[IX X E A). This induces, as before, an observational congruence zC (the largest congruence contained in =), but this is not identical with =. Indeed, the latter in not a congruence. For example, it is easy to check that r(NIL) z NIL; but if we place each of these programs in the context %[ ] = X,(X2(NIL) + [ 1) we obtain JZ[T(NIL)] + %[NIL] as may be readily checked (this is in effect the pair plp2 discussedearlier). The fact that = is not identical to zC makes the latter more difficult to analyze than the congruence -C of Section 3.1. However, it is easy to show that zC distinguishes no more programs than -C. 150 M. HENNESSY AND R. MILNER PROPOSITION. For all pI, p2 E W,, (a) pI - p2 imphes pI = p2. (b) pI mcp2 impks pI =:ep2. (a) A simple induction on n will show that - G z~. (b) We have -c G - !Z Z. Hence, since zc is the largest congruence contained in =, it follows that -c G q. cl From this proposition it immediately follows that q satisfiesall the axioms that characterize uc. In addition, it enjoys some properties that indicate that certain occurrencesof 7 may be eliminated from programs. PROPOSITION. The following hold for all pI , p2 E Wz,: (4 pI + 7~1 zc 7~1. (b) C~(PI+ 7~2) =c P(Pl + P2) + /.4P2. A direct proof of any one of these properties would involve consideration of the effect an arbitrary context can have on the terms involved. To avoid this we give in Appendix C an alternative characterization of =:c that is much easier to deal with. The proof of this proposition then becomesroutine. One may motivate the new properties by seeinghow an observer might attempt to distinguish between the two programs in each case.For example, the programs in (a) may be representedas From these trees it can be seen intuitively that the extra p,-subtree on the left- hand side does not change its $+ experiments because 7 is unobservable. Such arguments, however, are fraught with danger and should be treated carefully. A somewhat surprising result is that thesetwo additional properties are sufficient to characterize the new observational congruence. THEOREM 3.2. The observational congruence zc over I;, is exactly the congru- ence induced by axioms (A l )-(A4) and (A5) x + 7x = 7x, 646) /.4x i- 7Y) = Ax + Y) + PY. This theorem is not so immediate as Theorem 3.1, partly because = is not a congruence. It involves defining a normal form for programs in WZ,; the most important step in deriving the normal form is the use of (A6) to eliminate most occurrences of 7 in a program. 4. Application to a Simple Language for Communication 4.1. EXTENSION OF THE SIGNATURE. We now extend Zi to the signature 22 by adding a binary olperator“ 1 “; it is one of a variety of operators that may be chosen to represent the combination of a pair of programs that may proceed concurrently Algebraic-Laws for Nondeterminism and Concurrency 151 and may also communicate with one another. These two properties are reflected by separate new conditions upon the experiment relations 3. One condition (in two parts) states that the program p 1q admits all the experiments that p and q admit separately. (Since an atomic experiment corresponds to a single atomic action, the simultaneous activity of p and q cannot be observed.) (+4) Ifpzp’, thenplq&p’lq. (-5) Ifqzq’, thenpIqzplqq’. The next condition upon the relations 3 expressesthe capability of p and q to communicate, in the casethat two actions-one by p and one by q-complement each other. We take the view that two such actions occurring simultaneously appear to an external observeras a single, unobservableaction 7. To handle the notion of complementary actions, we introduce a little structure over M. We assumeM = A U (7) as before, and also that A = A U 3 where A is a possibly infinite alphabet of names, and that the alphabet 2 of conames is disjoint from A and in bijection with it. We represent the bijection and its inverse by an overbar (-), and use {a, /3, y) to range over A. Thus E E & and z = (Y.We continue to use X to range over A, and ~1,v to range over M = A U (7). Communication between p and q may occur when p admits a X-experiment and q admits a x-experiment, for some X; the result is a T-action of p I q. (46) IfpAp’andq>q’,thenplqI*p’lq’. Now taking {% 1~ E M) to be the smallest relations over ?Vz2satisfying (+ 1)-(+ 6), we obtain an observational equivalence- over Wz2as in Section 3.1. As before, this turns out to be a congruence, so that -C is identical with -. Let us now examine properties of-C with respectto the new binary composition operator. Intuitively, the behavior of p 1q is as follows. Its possible first actions are just those ofp independently, those of q independently, and those 7 actions resulting from complementary pairs of actions by p and q; after such a first action, p and q continue to act in parallel. To expressthis as an equation, we use the notation C pipi introduced in Section 3.1. PROPOSITION.If p is C pipi and q is C vi%, then PI 4 -c f: dPi I 4) + F vj(P I 4i) + C- 4Pi I C&h PFDj A few simple examples makes the proposition clear. Note particularly that, in the second example, the action /3 may either occur independently or be comple- mented by the action p, we shall see later how the complementation can-by application of a further operator called restriction-be forced to occur, so that the name /3is used solely for communication between p and q in the composite p 1q. Examples tap* + BP2) 174 = 4Pl I Yd + HP2 I 74) + YGPl -f PP2) I d, bP1 + BP21 I &I = 4Pl I !%I)+ NP2 I m + i%OPI + BP2 I cd + 4P2 Id, (C pipi) 1NIL = z pi(pi 1NIL) + NIL + NIL. Note that the proposition allows “ 1” to be eliminated, by stages,from any word in W,,. In fact, it is this property of “ 1n that allows us to prove that the proposition, 152 M. HENNESSY AND R. MILNER taken as an axiom1schema, is the only interesting property of “ 1” with respect to UC. (A7) For any WOAS u and v of form C Pi-Xi,z VjVj: UlV= C c(i(&Iv)+ C vj(UlYj)+ C T(XiIyi). i i pi=ii Now we may state another theorem of complete axiomization. THEOREM 4.1. The observational congruence yc over W,, is exactly the congru- ence induced by (.AI)-(A4) and (~47). Remark. The following laws for “ 1” may be proved to hold over W,, by induction on the structure of terms (though they are not deducible from (Al)- (A4), (A7) by equational reasoning):. Xl(YlZ) = (XIY)IG XIV = YIX, xlNIL = x. 4.2. UNOBSERVABLE ACTIONS IN 22. We now ,repeat for ZZ what we did for Z,; we wish to treat 7 as an unobservable atomic action (in particular, the intercommunication of p and q in p 1q is not an observable action). If we define the experiment relations (3 1X E A) as we did previously, then we gain an observational congruence x, over W,, again. We might expect this to be exactly the congruence induced by the axioms (Al)-(A7), but this is not the case, since (A6) is not satisfied by =:cover W,,. The reason is that, although one side of (A6) may be replaced b!/ the other in any context built from Zi, preservingobservational equivalence, there are & contexts built using “ 1” in which the replacement does not preserve the equivalence. In fact, we shall demonstrate in particular that the following instance of (A6) is false: a,@NIL + 7NIL) z, @NIL + NIL) + cuNIL. For this would imlply the observational equivalence rNIL 1@NIL + TNIL) = rNIL 1(a(@NIL + NIL) + cuNIL). (1) Calling the left and right sidesof (1) p and q, respectively,we have PS P’ = yNIL 1(@NIL + TNIL), whereas q 2 q’ implies that q’ = q1 or q’ = q2 where q1 = rNIL 1(/3NIL + NIL), qz = rNIL 1NIL. Now if (1) holds, then by definition of = we must have p’ x q1 or p’ = 42. The second is impossible since p ’ 2 yNIL 1NIL whereas q2 $ q; is impossible. Hence p’ + qz. On the other hand, we may also show p’ + ql. Since p’ & NIL 1NIL, whereasthe only 646.1) dx+~Y)=&+~Y)+PY, (pE1M) W-W WY = PY, 1 These axioms are indeed implied by (Al)-(A6). First observe that (A6.2) follows by placing x = NIL in (A6) and using the other axioms. Then to get (A6.1) place 7y for y in (A6): /4x + TTY) = P(X + TY) + WY, and use two instances of (A6.2). THEOREM 4.2. The observationalcongruence q over W,, is exactly the congru- ence induced by (Al)-(A5), (A6. I), (A6.2), and (A7). This theorem is the central result of our paper, since the method not only generalizes in a routine manner to the corresponding theorem for our next signature &, but also applies we believe-with minor adjustments-to many other signatures and experiment relations representing concurrent and communicating activity. The axioms (Al)-(A$ (A6.1), and (A6.2) seem to be what is required for the operators in 2, in the presence of extra operators for communication and concur- rency. 5. Further Operators on Programs In the preceding sections we have dealt with the main technical results of the present paper. This requires only slight extension to cover the operators of CCS [6], and we present the required extension in this section. In [4] we considered operators over behaviors corresponding to &, together with two other families of operators called relabeling and restriction; in the present context, these operators may be described as changing (bijectively) the labels for atomic experiments (i.e., permutations of A), and restricting the class of atomic experiments to a subset of A. The approach in [6] was to classify behaviors into sorts; a sort L was a subset of A, and the behaviors B= of sort L were those that employed only members of L as labels. Here we do not consider sorts; these may be later introduced and are indeed useful in providing a stronger basis for reasoning about realistic programs. More- over, we can treat relabeling and restriction as subclasses of a wider family of operators indexed by a subset of the partial functions M +P A4 from M to M. To this end we extend & to the signature Z3 by adding operators We shall postfix these operators. We characterize them operationally by adding a further condition for the experiment relations 3: (+ 7) If p % p’ and Si is defined, then p[SJ * p’[Sj. Now we take 114,I+ E Ml to be the smallest relations over WE, satisfying (+ 1)-(+ 7), and again obtain an observational equivalence - over WE,,which is a congruence, so that again -C is identical with -. 154 M. HENNESSY AND R. MILNER (Al) x+(y+z)=(x+y)+z (A2) x+y=y+x (A3) x+x=x (A4) x+NIL=x (A5) x + TX := TX 646) /4x + TV) = P(X + Y) + PY (A6. I) p(x + ry) = P(X + TV) + py (A6.2) hrry = py (A7) if u is ZpiXi and v is BUjfi, then u 1 v = Zpi (xi 1 V) + ZVj (U 1 yi) + z,,cj &Xi 1 fi) WV (P.4 VI = G4xm if Sp defined = NIL othewise (A9) (x + ~1PI = XVI + YISI / (A 10) NIL[S] = NIL FIGURE I TABLE 1. RELATIONSHIP BETWEEN AXIOMS AND CONGRUENCES Signature Axioms for -c Axioms for se Z, = A4 u {NIL, +) (A5), (A6) 21 = 2, u I 1 ) (A7)- (AS), (A6.11, (A6.2), (A7) ZJ = :cz u 9 (A7)-(A 10) (A5), (A6.1), (A6.2), (A7)-(A 10) The axioms needed to characterize P’ are the obvious ones: (A8) (@)[ S] = $(x[S]) if Sp is defined, NIL otherwise; (A9) 0 + YNSI= ~14 + ASI; (AlO) NIL[S] = NIL. THEOREM 5.1. The observational congruence mcover Wz, is exactly the congru- ence induced by (A I)-(A4) and (,47)-(A 10). The treatment of experiment relations {A ] X E A) and the corresponding observational congruence + over W,, is exactly as it was for Wz2,and by trivially adapting the proof of Theorem 4.2 we obtain THEOREM 5.2. The observational congruence =, over W,, is exactly the congru- ence induced by (A l)-(A5), (A6. l), (A6.2), and (A7)-(A 10). 6. Conclusions We have characterized observational congruence in six casesby equational axioms. There are three signatures, Z1 C & G &, with Z3 being a minor variant of the signature used in the language CCS [6]. For each of those cases,two classesof experiments relations are considered: (3 ] p E Ml when the atomic action T is observable,and {.A ] X E A) when T is not directly observablebuy may “occur” a finite number of ltimes during any atomic experiment. The set of axioms used in the paper is given in Figure 1. The correspondencebetween the axioms and various observational congruences may be tabulated as shown in Table I ((Al)-(A4) are needed in every case). Furthermore, we believe that the replacement of (A6) by two axioms (A6.1) and (A6.2) will be needed with the introduction of any operator representing concurrent activity, in place of “ ] “, and that this replacement persists with the addition of any reasonable family of partial relabeling operators (even multivalued ones, though we restricted consideration to single-valuedrelabeling). The following Appendixes provide detailed proofs of the theorems. Algebraic Laws for Nondeterminism and Concurrency 155 Appendix A. Proofs of General Results on Observational Equivalence This Appendix is devoted to the proofs of Theorems 2.1 and 2.2. We assumethe notations and definitions introduced in Section 2. THEOREM 2.1. If each Ri is image-finite, then - is the maximal solution to S = E(S). PROOF. (9 - G E(-) Supposep - q and (p, p’ ) E Ri. Then for each n there exists q,, such that P ’ -” qn and (q, q,J E Ri. Since Ri is image finite, there exists q’ such that q’ = qn for infinitely many n. But -n is decreasing in n, hence p’ -,, q’ for all n, and so p’ - q’; also (q, q’) E Ri. By symmetry it follows that (p, q) E E(-); hence - C E(-) since p and q were arbitrary. (ii) E(-) C - We prove by induction on n that (p, q) E E(-) =$ p -n+l q. Let (p, q) E E(-) and (p, p’) E Ri. Then (q, q’) E Ri and p’ - q’, for some q’. From (i), it follows that (p’, q’) E E(-). By induction, p’ -,, q’. Similarly, if (q, q’) E Ri, there existsp’ such that (p, p’) E Ri and p’ -,, q’. Therefore, p -n+l q. (iii) Let S be any relation such that S = E(S). We prove by induction on n that (P, q) E S*P -,,+I q. Let (P, q) E Sand (P, P’) E RimThen (P, 4) E E(S). So (q, q’) E Ri and (p’, q’) E S, for some q’. By induction, p’ -,, q’. From symmetry it follows that p -,,+ I q. Therefore, ( p, q) E S + p - q. cl THEOREM 2.2. If each Ri is image-finite, then p - q if and only if 9’(p) = WC?). PROOF. Let 9n G 9’ be the classof formulas with depth at most n of “modal” operators Q. Let 5$(p) = (A E L$I p I= A). To establishthe theorem it is suffkient to show that p -,, q if and only if 5$(p) = 5$(q). We use induction on n. (i) n = 0. For any p and A E L%, p I= A iff A is logically equivalent to T. So 5&(p) = L$$(q) for every p, q and the result follows since p -0 q for every p, q. (ii) p -n+l 4 implies %+,(a) = .%+1(q). We show by structural induction on A E L4+, that, if p -n+l q and p I= A, then q I= A. Let p I= A. If A is T, the result is trivial. Consider now the other casesfor A. (a) A is QB, B E 5%. Then (p, p’) E Ri with p’ I= B, for some p’. Since p -n+~ q, there exists q’ such that (q, q’) E Ri and p’ -,, q’. By induction on n, q’ I= B. So qt=A. (b) A is TA’. Then not p I= A’. Now if q I= A’. Then by structural induction p I= A’, which is a contradiction. Therefore, q k 1A’. (c) A is Al A Al. Then p I= A, and p K AZ. By structural induction, q I= A, and q I= A2 and therefore q k=A. (iii) p -,+, q implies .%+I (p) f %+I (4). Sincep -,,+, q, without loss of generality, we can assumethat there is an i and p’ such that (p, p’) E Ri, and (4, 4’) E Ri + p’ -, 4’. Since Ri is image- finite, let (q,, . . . , qkJ = (q’ 1(q, 4’) E Ri). By induction, Z(p’) # Yn(qi) for 156 M. HENNESSYAND R. MILNER each i, 1 5 i ~2k. So there are formulas &, . . . , B,, such that p’ I= Bi and not qi l= B;, Bi E I$. Then p’ l= B and not qi l= B, where B denotes BI A . . . A B,,. Therefore,, p l= @B and not q l= @B, that is, 5$+,(p) # .5~%+~(q). 0 Appendix B. Proofs of Results Concerning mc This Appendix is devoted to the proofs of the completeness of the axiomatizations of NCover the three signatures Z,, &, and Zj. Recall that these results deal with the case in which all actions, including 7, are observable. The result for Zi, concerning axioms (Al)-(A4), was proved as Theorem 3.1. The other two theorems, 4.1 and 5.1, will be reduced to Theorem 3.1 by the following Extension Lemma. Definition B 1. Let Z C Z’; let R be a relation over IV, and R’ over I+‘,, . Then R’ is a conservativeextension of R if R’ fl W$ C R. EXTENSION LEMMA. Let I; C Z’, and let R and R’ be equivalencerelations over W, and W,, such that R C R’. Let S be an equivalencerelation over W,, such that (i) S is a conservativeextension of R, (ii) R’ C S, (iii) For each t in Wz,, there exists a normalform nf(t) in Wz such that (t, nf(t)) E R’. Then R’ = S. PROOF. Suppose (p, q) E S. Then, from (iii), (p, nf(p)) E R’ and (q, nf(q)) E R’; from (ii), &f(p), nf(q)> E S; from (9, (nf(p), nf(q)) E R. Therefore, (p, q) E .R’ since R C R’. 0 Let =2 be the congruence over W,, generated by the axioms (Al)-(A4) and (A7), and ‘3 over W,, by ‘(Al)-(A4) and (A7)-(AlO). COROLLARY (a) Theorem 4.1: For p, q E WE,,p 3 q tj-p -c q. (b) Theorem 5.1: For P, 4 E W.,, P ‘3 q iffy mc 4. PROOF. We prove (b) only, the proof of (a) being similar. We apply the Extension Lemma, with Z = Zi, Z’ = 23, R = =I, R’ = ‘3, and S the observational congruence -c over W,,. As for Theorem 3.1, we leave it to the reader to show that - is a congruence and satisfies the axioms (Al)-(A4) and (A7)-(AlO). This establishes hypothesis (ii) of the Extension Lemma. Also by using axioms (A7)-(AlO) all occurrences of “ ] ” and [S] can be eliminated from terms in W,,. This establishes hypothesis (iii). It remains to show that - is a conservative extension of =I. Let -’ be the observational equivalence over Wz,, which uses as experiments the least relations satisfying (+l), (+2), and (-3). From Theorem 3.1, p =l q iff p -’ q. A simple proof by structural induction will establish that for all p, q E W,,, p - q implies p -’ q. Cl Appendix C. Proofs of Results Concerning zc This Appendix is mainly devoted to proving the principal result of the paper, Theorem 4.2, which deals with the axiomatization of zC over signature Z2; recall Algebraic Laws for Nondeterminism and Concurrency 157 that this differs from Theorem 4.1 in that 7 is now unobservable. Section C 1 deals with the soundness of the appropriate axioms and Section C2 with their complete- ness. The proofs of the analogous Theorems 3.2 and 5.2 for signatures Z1 and L13 are outlined in Section C3. Cl. SOUNDNESSOF THE AXIOMATIZATION OF =, OVER SIGNATURE 2~ Let = denote the congruence over W,, induced by the axioms (Al)-(A$ (A6. l), (A6.2) and (A7). We show that p = q implies p % q. First, generalize the experiment relations by defining: p a q if p 5 q for some n > 0. For /I E A U (7) let Der,(p) = (qlp& qj. Now let =’ denote the maximal solution to the equation s = E’(S), where (p, q) E E’(S) if for all fl E A U (T), (i) p’ E Der,(p) implies (p’, q’) E S, for some q’ E Der,(q). (ii) q’ E Der,( q) implies (p’, q’) E S, for some p’ E Der,(p). The existence of =’ follows from Theorem 2.1. It must be observed that =’ differs from =:c; in particular it will not satisfy axiom (A6.2). But the following lemma is enough for our purpose: LEMMA (a) =’ is a congruence over W,,. (b) p ‘= ’ q implies p =‘c q. PROOF (a) By structural induction on terms. (b) By structural induction, we can prove that p =’ q implies p = q, The result then follows from (a) since z, is the largest congruence contained in =. Cl THEOREM 4.2, PART (i) (SOUNDNESS). For p, q E W,,, p = q implies p x, q. PROOF. It is sufficient to show that if aI = a2 is an instance of any axiom then 4 zc a2. Let al = a2 be an instance of any axiom other than A6.2. In this case it is easily seen that for P E A U {T), Der,(al) = Der,(as). It follows that al Z’ a2 and therefore by the lemma, al =:ca2. In case of an instance of A6.2, a simple proof by induction on Z2 contexts Z[ ] will show that %[a,] = %[a,]. •I C2. COMPLETENESSOF THE AXIOMATIZATION OF zc OVER SIGNATURE X2. In this section we show that p zc q implies p = q. Definition. p is a sumform if it is of the form 2 p/pi, where each pi is a sumform. (Note that NIL is a sumform.) Definition. p zS q (sumcongruence) if p = q may be proved using (A 1) and (A2) alone. That is, =s is the congruence induced by (Al) and (A2). ABSORPTION LEMMA. If p E WX, and q = p’ for some p’ that is a p-derivative ofp, then pq + p = p. PROOF. By induction on the structure ofp. We may assume that p has the form ClsisnCLiPi- 158 M. HENNESSYAND R. MILNER Case (i). p =: /Liand q s pi. Then p + pq E p + pipi = p using (Al)-(A3). Case (ii). p = si and q = d, d E Der,(pi). By induction pi + 7q E pi. Therefore p + pq s JJ+ pipi + piq using (Al)-(A3), -’ P + IdPi + 74) + Cciq, E p + pi(pi + 79) from (A6.1), = p. Case (iii). pi = 7 and q = d, d E Der,(pi). By induction, pi + pq 3 pi. SO p + 114s p + 7pi + pq using (Al)-(A3), E P + dPi + Ccd + r4; s P + 4Pi + d + Pi + cLq + 1*q, from (AS), E P + dPi + /NJ + Pi + MT from (A3), = P + 4Pi + W?) from (A5), = p. DeJinition. A sumform p = C pipi is a proper normal form if (i) it is not of the form 7~‘; (ii) each pi is a proper normal form; (iii) for i # j, pi is not sumcongruent (=J to any pci-derivativeof pjpj. An improper normalform is rp, where p is a proper normal form. A normal form is either a proper or an improper normal form. NORMAL FORM LEMMA. Every sumform p is congruent to a normal form. PROOF. By induction on the structure of p. Let p be Clsisn pipi+ By induction and (A6.2) we m,ay assume that each pi is in proper normal form. Suppose that, for some k # j, there exists d E Der,,,(pjpj) such that pk = d. From the Absorption Lemma ,.&pki- pjpj s /Ljipj.SO p E zi+k pipi and the E3Uh IlOW fOllOWSby induction on the number of occurrences of duplicate derivatives. Cl DERIVATIVE LEMMA. The following are equivalent for normal forms p and q: (1) P’s& (2) Each p-derivative of p is a sumcongruent to a p-derivative of q, and vice versa. PROOF (1) implies (2): Immediate. (2) implies (1): Let p = C Xidi f C 7ej and p’ = 2 Xl d,! + C Te,!be normal forms with sumcongruent derivatives, where Xi, Xi’ E A. (A) We first show that each ej is a sumcongruent to some ei and vice versa. Take et. Since er E Der,(p), it is sumcongruent to some r-derivative of p’, say el or one of its T-derivatives.In the former case,we are done; assumethe latter. But el is, by assumption, sumcongruent to ej or one of its T-derivativesfor some j, j # 1 since el is a proper subexpressionof e; up :o sumcongruence.In either case el is sumcongruent to a T-derivative of rej, a contradiction since p is a normal form. (B) Next, we show each di sumcongruent to some d[, Xl = Xi, and vice versa. Take d,. Since d, E Derx,(p), it is sumcongruent to some &derivative of p’. This cannot be a X,-derivative of some Te;-hence of some Tej-since p is normal. Algebraic Laws for Nondeterminism and Concurrency 159 Hence, either dl =, dl say, with X; = XI, and we are done, or dl E Der,(d;) up to congruence. In the latter case d;, a X,-derivative of p’, must be sumcongruent to a X1- derivative of some summand of p, not XIdl itself since dl is a proper subexpression of d; up to sumcongruence. Hence, d, is sumcongruent to a X,-derivative of the same summand, a contradiction since p is normal. Combining (A) and (B), p =s q follows. Cl THEOREM 4.2, PART (ii) (COMPLETENESS). For p, q E Wz,, p cc q implies p = q. PROOF. Since everyp E W,, is congruent under = to a sumform (by the axioms, especially (A7) to eliminate “ 1”) and thence to a normal form (by the Normal Form Lemma), by the SoundnessTheorem (Theorem 4.1, Part (i)) it is enough to consider normal forms p, q. (A) p, q are proper normal forms. We prove by induction on the structure ofp and q that, for x0 not in p or q, p + q implies Vae k. p I X6 + q I X6, where “Vae k.” means “for almost all k”, and ti stands for XOprefixed k times to NIL. Case 1. q is sumcongruent to a T-derivative of p. Since p is a proper normal form, p = pd + Te + . . . with q E Der,(Te) up to sumcongruence. (9 CL= 7. Then for arbitrary k ~I%+‘~dlti, whereas q 1xgk+’ *X0 r implies r = q’ Iti,“, where q’ E Der,( q) or q’ = q, and so q’ E Der,(Te) up to sumcongruence. Since p is normal, d +S q’, whence by induction Vae k. d I X8 + q’ 1%. Since the number of possible q’ is finite, we also have Vaek.plX6+ql& (ii) ~1# 7. Then for arbitrary k r,lXok~ddlti, whereasq 1A$ & r implies r = q’ I& where q’ E Der,( q) and so q’ E Der,( 7e) up to sumcongruence.As before, d +s q’, and we previously proceed as in (i). Case 2. Neither p nor q is sumcongruent to a T-derivative of the other, and p $ q. Then by the Derivative Lemma, without loss of generality, for some p and p’, p’ E DerJp) but p’ is sumcongruent to no p-derivative of q. (i) cr = T. Then for arbitrary k whereasq 1ti+’ P r implies r = q’ 1X8, where q’ = q or q’ E Der,( q). In either casep’ $ q’, and we proceed as in Case 1. 160 M. HENNESSYAND R. MILNER (ii) p # T. Then for arbitrary k whereas q ] Xi :k r implies r = q’ ] X,“, where q’ E Der,(q). Then, p’ +s q’ and we proceed as in Case 1. (B) p, q are arbitrary normal forms. If p ==cq, then also p + XO =, q + x0, where X0does not occur in. p or q, and both are proper normal forms. Hence by (A) p + x0 =s 4 + x0, from which p =S q follows. C3. PROOFSOF THEOREMS 3.2 AND 5.2 C3.1. Outline ojrProof of Theorem 5.2. The proof just given for Theorem 4.2 can be adapted in a trivial manner to obtain Theorem 5.2. The axioms (A8)-(AlO) hold for zc and also normal forms exist for the extended language since these axioms allow us to eliminate all instances of the operator [S]. C3.2. Outline qf Proof of Theorem 3.2. Let = denote the congruence over I+‘,, generated by (Al)-(A6). To prove soundness, that is, p = q + p zc q, it is more convenient to have a simpler representation of +. DetinepZ qifforallpEhU (7) (i) p’ E Der,(p) implies p’ = q’, for some q’ E Der,(q). (ii) q’ E Der,(q) implies p’ = q’, for some p’ E Der,(p). It is easy to see that Z is a congruence contained in = and with a little work it can be shown to coincide with zc. With this characterization, it is easy to prove that every instance ‘of the axioms (Al)-(A6) satisfies zz, and soundness follows. To prove completeness, we use the same approach as in Section C2. This time we require a different notion of normal form, in which 7 may only appear at top level: (i) NIL is a tight normal form. (ii) ZpiNi is a normal form if (a) each Ni is ;atight normal form, (b) if pi = pj then Ni +s Nj, (c) if pi = 7 and pj = X then PjNj is not sumcongruent to any summand of Ni. (iii) ZiwNi is a tight normal form if (a) it is a normal form, (b) pi # T, 1 5 i 5 n. Using (A5) and (A6), every term in FV,, can be reduced to a normal form. By structural induction, we can then prove that N = N’ implies N =S N’ for tight normal forms. By extending this result to arbitrary normal forms, the result is established. Cl Algebraic Laws for Nondeterminism and Concurrency 161 REFERENCES I. GORDON, M. J. The Denotational Description of Programming Languages. Springer-Verlag, New York, 1979. 2. HENNESSY,M., AND MILNER, R. On observing nondeterminism and concurrency. In Proceedings of the 7th Colloquium on Automata, Languages and Programming. Lecture Notes in Computer Science, vol. 85. Springer-Verlag, New York, Berlin, Heidelberg, 1980, pp. 299-309. 3. HENNESSY,M., AND PLOTKIN,G. D. Full abstraction for a simple parallel programming language. In Proceedings ofthe 8th MFCS Co&ence(Olomouc, Czechoslovakia). Lecture Notes in Computer Science, vol. 74. Springer-Verlag, New York, 1979, pp. 108-121. 4. MILNE, G., AND MILNER, R. Concurrent processesand their syntax. J. ACM 26, (1979) 302-321. 5. MILNER, R. Synthesis of communicating behaviour. In Proceedings of the 7th MFCS Conference (Zacopane, Poland). Lecture Notes in Computer Science, vol. 64. Springer-Verlag, New York, 1978, pp. 7 l-83. 6. MILNER, R. A Calculus of Communicating Systems. Lecture Notes in Computer Science, vol. 92. Springer-Verlag, New York, 1980. 7. PLOTKIN,G. D. A powerdomain construction. SIAM J. Comput. 5, 3 (1976), 452-487. 8. PNUELI, A. The temporal logic of programs. In Proceedings of the 19th Annual Symposium on Foundations of Computer Science (Providence, R.I.). IEEE, New York, 1977, pp. 46-57. 9. PRATT, V. R. Semantical considerations of Floyd-Hoare logic. In Proceedings of the 17th Annual Symposium on Foundations of Computer Science. IEEE, New York, 1976, pp. 109-12 1. 10. SMYTH,M. Powerdomains. J. Comput. Syst. Sci. 15, 1 (1978), 23-36. 11. STOY, J. E. Denotational Semantics: The Scott Strachey Approach to Programming Language Theory. MIT Press, Cambridge, Mass., 1977. RECEIVED DECEMBER 1980; REVISED MAY 1984; ACCEPTED JULY 1984 Journal of the Association for Computing Machinery, Vol. 32, No. 1, January 1985.